Legal & Policy Provisions for Healthcare Data Security

US healthcare today is largely dependent on technology-enhanced systems for administrative and clinical functions such as claims and care management, computerised physician order entry systems, radiology, pharmacy and laboratory systems, and self-service applications. Through electronic health records (EHR) and protected health information (PHI), patient data can be accessed rapidly and from multiple locations, improving healthcare service. That same accessibility, however, has made healthcare data security a problem: with many data handlers able to reach the data, it is also exposed to breaches. The Office for Civil Rights (OCR) regularly publishes a chronological listing of such data breaches.

According to Know Your Enemies 2.0, a 2016 report by the Institute for Critical Infrastructure Technology, healthcare providers have become the main target for cyber attackers. Healthcare breaches were among the top 7 cyber attacks of 2015. Anthem suffered the largest breach, a total of 112 million records. The hack left private information, including the social security numbers of 80 million customer and employee accounts, ripe for use by cybercriminals. The accounts contained information that cannot be changed, such as birthdates and social security numbers, which can be used for identity theft and insurance fraud.

Cybersecurity for Health Information

Healthcare is considered one of the 16 sectors of critical infrastructure, the backbone of US society. With the rise of digital information, cybersecurity is vital: it is the means to prevent, detect and respond to risks and threats to the data and computer systems that support critical infrastructure such as healthcare.

The Administrative Simplification Provisions, Title II of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, became the first legislation of its kind to provide privacy and security provisions for health information. These are the fundamental compliance regulations pushing for cybersecurity in US healthcare organisations and the associated entities that maintain, receive and transfer patient data.

Additionally, on February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for the development of a cybersecurity framework to help reduce and manage cybersecurity risks to critical infrastructure.

HIPAA Requirements for Covered Entities

HIPAA Title II has four (4) basic cybersecurity requirements for covered entities:

Adoption of the 10-digit National Provider Identifier (NPI), which identifies the entity as a HIPAA-covered healthcare provider

Establishment of security standards and regulations for electronic data interchange (EDI), which is used to submit and process insurance claims

Compliance with the HIPAA Privacy Rule, or the Standards for Privacy of Individually Identifiable Health Information

Compliance with the HIPAA Security Rule, or the Security Standards for the Protection of Electronic Protected Health Information

Ignoring these requirements can be costly: HIPAA violations carry fines of up to $1.5 million as well as criminal penalties.

HIPAA Privacy Rule

The HIPAA Privacy Rule is composed of national regulations governing the use and disclosure of PHI by covered entities for healthcare treatment, payment and operations. Such federal protection of PHI must be balanced so as not to create unnecessary barriers to healthcare: use and disclosure of PHI requires the patient’s authorisation, yet the data must also be readily available for patient treatment and efficient payment. The rule establishes health information privacy rights, helping patients know and control how their PHI is accessed.

HIPAA Security Rule

The HIPAA Security Rule is made up of national standards and provisions to keep electronically transmitted PHI, or ePHI, secure. It requires covered entities to keep administrative, physical and technical safeguards in place to do so. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 is a 77-point compliance checklist of these safeguards.

However, theory and practice are often different things. These provisions and safeguards do not dictate the specific cybersecurity measures and technologies that HIPAA-covered entities should deploy and enforce; how they are applied is entirely up to each entity. The provisions and standards merely establish the need for cybersecurity compliance and practice in a data-vulnerable health sector. Sadly, cybersecurity failures and bad practices have arisen, and persisted, in how they are interpreted and put into practice.